rficcaglia commented on The SOC2 Starting Seven (2020)   latacora.micro.blog/... · Posted by u/Ballu
shuckles · 5 years ago
Vanta at least made me sign a separate contract with the auditor, so I’m not sure they’re making money on the difference. The policy docs indeed don’t seem very closely scrutinized, and I’d prioritize the service that can automate more for you. Vanta provided its own client monitoring application which exists alongside JAMF and seems to cover the same controls.
rficcaglia · 5 years ago
It's more that there is a market price for SOC2 that auditors can charge, and they are adding $20-25K to the price tag, so they need the auditors to subsidize that. At least when I talked to these firms, you could not bring your own audit firm. You had to go with theirs. Nothing wrong there and kudos to them for innovating on the pricing/biz dev, but you can pocket that savings yourself by negotiating the same price drop directly with the audit firm, and using your own scripts or open source to collect evidence. Vanta and Tugboat have nice UIs definitely. It's just the difference between buying a Honda vs. Mercedes. Not everyone cares about paying the lowest amount for a solution. If your budget affords high end convenience, go for it.
rficcaglia commented on The SOC2 Starting Seven (2020)   latacora.micro.blog/... · Posted by u/Ballu
masonhensley · 5 years ago
Yes, can you please share your list.

> open source versions of Vanta

... not aware of anything in this field. This has been on my "one day if I have time" lists to build.

rficcaglia · 5 years ago
OK, will do. I will also post an actual (sanitized) Type 2 IRL so we can dispel the mystery and the need for experts. It's all straightforward stuff. But give me 24 hours, since my family is giving me cross looks at spending more time online than with them on a holiday weekend ;)
rficcaglia commented on The SOC2 Starting Seven (2020)   latacora.micro.blog/... · Posted by u/Ballu
hellcow · 5 years ago
The reason we went with a company similar to Vanta (StrikeGraph) wasn't infosec. It was that SOC2 is enormous and spans beyond infosec, its controls and requirements are arcane, and having experts who have done this before set you up for success in your $50k, year-long investment to get to a Type 2 audit is hugely valuable.
rficcaglia · 5 years ago
$50K is too high, unless you had a lot of actual process gaps to fill initially and are counting staff time in that. Also, expertise isn't really that important - honestly, the auditors are often (not always) minimally trained and often don't have much experience in cloud. Having someone on staff who truly understands your unique system and processes and can articulate and document how it is (or is not) operating securely is a better use of money. Spend the $50K on actual security (training, code reviews, red team exercises, learning about TTPs, and allocating time in the dev and QA cycles for these considerations).

As others have said above, the compliance part will be a by-product and will essentially fall in place modulo some extra documentation effort (which can be heavily borrowed from templates).

Vanta and StrikeGraph etc no doubt will make it more convenient to follow best practices and scaffold your continuous monitoring, but I see it as a nice to have, not a must have.

rficcaglia commented on The SOC2 Starting Seven (2020)   latacora.micro.blog/... · Posted by u/Ballu
travisluis · 5 years ago
Any views on Vanta vs Tugboat Logic vs Laika? I'm trying to choose among them and am leaning towards Tugboat Logic. Its policies seem more thoroughly drafted and they let you test drive the platform, which none of the others allow. Vanta has more integrations but doesn't currently do Jamf from what I can tell.
rficcaglia · 5 years ago
The policy docs are just filler. Auditors never look at them in any detail. They look for the last revised date and last review date. I have bought a $150 bundle online and submitted it as-is without even replacing a single parameter, and the audit went fine.

But Vanta/Tugboat won't actually do the reviews and training and HR and executive reviews you need. Basically, their deal is that they cut volume discounts with the audit firms and then take the rest. They have nice dashboards, don't get me wrong, but only their hand-picked auditors will accept them. Others will require you to manually package up the same evidence anyway and upload it to their IRL evidence system.

rficcaglia commented on The SOC2 Starting Seven (2020)   latacora.micro.blog/... · Posted by u/Ballu
sbinthree · 5 years ago
Some thoughts having just completed this:

* It costs $40k in year one and $30k/year in subsequent years if you do the now-typical stack of Vanta, pen test, vulnerability monitoring, and audit fees. This makes ROI pretty straightforward to figure out.

* There's really no benefit to getting Type 1; you just need to get the Type 1 posture and then wait out the monitoring period in order to get Type 2. If the customers actually care, they are smart enough to know that it's a lot harder to fudge it for 6 months than it is for one four-hour Zoom call.

* You can definitely get to about 60% of SOC2 just doing obvious best practice (code reviews, SSO, HTTPS only, database alerting). The next 20% is worthwhile but not intuitive, the final 20% is neither.

Agreed with the top comment about infosec teams being reasonable. At this point I think it would be pretty hard to do deals with public companies without having Type 2, and our domain isn't even that security focused.

rficcaglia · 5 years ago
Definitely paying too much @ $40K/$30K. Audit firms will cut their costs - don't take their first offer, it's a negotiation. Renegotiated down every year... they will want to reduce churn. Also, there are open source versions of Vanta and similar, but those aren't really necessary - helpful, but not necessary. Same for pentests - I have had this conversation many times with SOC2 auditors, asking them to show me where it says you must have a pentest - many SOC2s later, never had to have one. That said, customer contracts may require it, and some even specify the firms or onerous requirements for the chosen firms. We often argue Red Teaming exercises are better and win with that. I'll post a list of cost saving ideas if anyone is interested. As for ROI - SOC2 is really only a sales enablement tool, nothing more. So it's really how many enterprise deals you will lose without SOC2 vs. how many you will win, and at what revenue. You can also negotiate transparently with your customer - most will say they want SOC2, but then if you add in extra cost to cover it, they back off. Until you have a 100K+ recurring (3 year ideally) deal ready to walk away, push back hard and be transparent with them on the added costs for paperwork. Offer to have a call with their security team and walk through your real security processes instead. Most customers are reasonable once you get past the outsourced procurement team. It helps to have a business sponsor who can cut through the red tape.
rficcaglia commented on Costco gained a cult following by breaking every rule of retail   thehustle.co/costco-membe... · Posted by u/yarapavan
whoopdedo · 6 years ago
But it requires you to allocate personal space to store those purchases. A second freezer, or larger cupboard. So greater pressure on real estate. If I'm economizing my living space I won't be shopping at Costco.
rficcaglia · 6 years ago
I agree here. Second freezer and lots of space for storage is a must. Not for tiny apartments. A suburban phenomenon mostly.
rficcaglia commented on Costco gained a cult following by breaking every rule of retail   thehustle.co/costco-membe... · Posted by u/yarapavan
lonelappde · 6 years ago
No one goes to Costco anymore, because it's too crowded, as the saying goes. It's become a victim of its own success.
rficcaglia · 6 years ago
From what I see (and do), people just go there early in the morning, 5 minutes before it opens.

Avoids the folks who flock around the free handouts at lunchtime. Parking is easy. But you can’t wait even 1/2 hour past opening. Get in right as it opens.

rficcaglia commented on Costco gained a cult following by breaking every rule of retail   thehustle.co/costco-membe... · Posted by u/yarapavan
AznHisoka · 6 years ago
For me, it's hard to find markets with salmon/steak as fresh as those found in Costco.
rficcaglia · 6 years ago
Ditto for fish in Hawaii. We tried both a local “fresh off the boat” market and Costco on the same trip and Costco was definitely higher quality for local caught fish.

Same for salmon and halibut in Anchorage, Alaska.

rficcaglia commented on Costco gained a cult following by breaking every rule of retail   thehustle.co/costco-membe... · Posted by u/yarapavan
jasode · 6 years ago
>Also, the vast majority of retail shrinkage is employee theft;

I did a cursory Google on this, and of the 5 random sources I looked at, they said the majority of shrinkage is customer shoplifting. Did you come across something reputable that concluded differently?

rficcaglia · 6 years ago
I dunno about majority internal vs. shoplifting, but I saw a Kroger internal report once that said ~2% of revenues were lost annually to "loss". It was not broken down by category, but it was the preface to a 4-hour presentation on employee loss prevention techniques, so I'm connecting dots...
rficcaglia commented on Costco gained a cult following by breaking every rule of retail   thehustle.co/costco-membe... · Posted by u/yarapavan
projektfu · 6 years ago
I've never seen marked aisles aside from the number. I always assumed it's because Costco wants you to visit every aisle.
rficcaglia · 6 years ago
Agree. They also move items around. So you can’t just zoom to the one item you need, you have to go hunt.

u/rficcaglia

Karma: 244 · Cake day: August 30, 2009
About
New stuff coming soon!